Posted to dev@kafka.apache.org by Edoardo Comar <ed...@gmail.com> on 2018/05/01 11:27:23 UTC

Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API

While the vote is still in progress on the [VOTE] thread, (still needing an
extra binding one :-)
we have updated the PR to reflect the current KIP and noted that the check
is performed on two distinct code paths: auto-creation and explicit
creation of a topic.

Edo

On 17 April 2018 at 18:30, Vahid S Hashemian <va...@us.ibm.com>
wrote:

> Hi Edo,
>
> Thanks for addressing that concern in the KIP.
> And I agree that in the long run the create cluster permission should be
> deprecated.
>
> --Vahid
>
>
>
>
> From:   Edoardo Comar <EC...@uk.ibm.com>
> To:     dev@kafka.apache.org
> Date:   04/17/2018 03:52 AM
> Subject:        Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics
> API
>
>
>
> Thanks Vahid,
>
> as described in the rejected section, we wanted to get feedback on the
> point:
> > An alternative that we want to discuss with the community is to favour
> > compatibility rather than simplicity,
> > and consider existing "Create Cluster" permission as equivalent to
> > "Create Any Topics", so that Create Cluster is allowed, skip the specific
> > Create Topic check.
>
> From the few replies so far, including yours, it seems that having a
> composite check like
> allowed = "has Create Cluster OR has Create Topic(TopicName) "
>
> is the preferred way to go for backward compatibility.
>
> Though we'd like to plan a deprecation for the Create Cluster check, if
> wildcard support in ACLs will be added in the future.
>
> thoughts ?
>
> --------------------------------------------------
>
> Edoardo Comar
>
> IBM Message Hub
>
> IBM UK Ltd, Hursley Park, SO21 2JN
>
>
>
> From:   "Vahid S Hashemian" <va...@us.ibm.com>
> To:     dev@kafka.apache.org
> Date:   04/04/2018 16:41
> Subject:        Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics
> API
>
>
>
> Hi Edo, Mickael,
>
> The intent of this KIP seems to be rather similar to KIP-231 (Improve the
> Required ACL of ListGroups API).
> The feedback I received on that KIP was to allow for backward
> compatibility, and, as a result, the Describe(Cluster) ACL was preserved;
> and a Describe(Group) ACL was introduced.
> I am wondering if both KIPs should follow the same principles in that
> regard.
>
> Thanks.
> --Vahid
>
>
>
> From:   Edoardo Comar <EC...@uk.ibm.com>
> To:     dev <de...@kafka.apache.org>
> Date:   03/29/2018 06:51 AM
> Subject:        [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API
>
>
>
> Hi all,
>
> We have submitted KIP-277 to give users permission to manage the lifecycle
> of a defined set of topics;
> the current ACL checks are for permission to create *any* topic and on
> delete for permission against the *named* topics.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D277-2B-2D-2BFine-2BGrained-2BACL-2Bfor-2BCreateTopics-2BAPI&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=Q_itwloTQj3_xUKl7Nzswo6KE4Nj-kjJc7uSVcviKUc&m=fFqzioVsBbv-HQSz8mOPYfz25CJAudbGSgJ3JItDVeE&s=DzzeKHrh6r3G5Elm179qbdDLf9OC6e67zqR7d4vnre0&e=
>
>
>
>
> Feedback and suggestions are welcome, thanks.
>
> Edo & Mickael
> --------------------------------------------------
>
> Edoardo Comar
>
> IBM Message Hub
>
> IBM UK Ltd, Hursley Park, SO21 2JN
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
>


-- 
"When the people fear their government, there is tyranny; when the
government fears the people, there is liberty." [Thomas Jefferson]
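
A small Python model of the composite check discussed in this thread (Create Cluster OR Create Topic(TopicName)), applied on both the explicit and the auto-creation path. It is an added illustration, not Kafka's authorizer code or the KIP-277 PR; the ACL tuple layout, function names, principals and topic names are constructed assumptions, and only allow rules are modelled.

```python
from typing import NamedTuple, Optional

class Acl(NamedTuple):
    principal: str
    operation: str       # e.g. "Create"
    resource_type: str   # "Cluster" or "Topic"
    resource_name: str   # topic name, or CLUSTER for the cluster resource

CLUSTER = "kafka-cluster"  # name used here for the single cluster resource

# Constructed sample ACLs (allow rules only; deny rules are out of scope).
ACLS = {
    Acl("User:legacy-admin", "Create", "Cluster", CLUSTER),
    Acl("User:team-a", "Create", "Topic", "team-a.orders"),
}

def create_granted_by(principal, topic, acls=ACLS) -> Optional[str]:
    """Composite check: Create Topic(name) OR legacy Create Cluster.
    Returns which grant matched, or None when creation is not authorized."""
    if Acl(principal, "Create", "Topic", topic) in acls:
        return "Topic"
    if Acl(principal, "Create", "Cluster", CLUSTER) in acls:
        return "Cluster"  # broad legacy grant, the one proposed for deprecation
    return None

def explicit_create(principal, topics, acls=ACLS):
    """Explicit creation path: one authorization result per requested topic."""
    return {t: create_granted_by(principal, t, acls) is not None for t in topics}

def auto_create(principal, topic, acls=ACLS):
    """Auto-creation path: must go through the same composite check."""
    return create_granted_by(principal, topic, acls) is not None

def legacy_dependents(requests, acls=ACLS):
    """Principals whose creates succeed only via the Create Cluster grant,
    i.e. those who would break if that check were removed."""
    return sorted({p for p, t in requests
                   if create_granted_by(p, t, acls) == "Cluster"})
```

Running `legacy_dependents` over observed (principal, topic) create requests gives the list of principals to migrate to per-topic ACLs before the Create Cluster check is retired.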